This is one of the things that's bothered me with it - in a similar vein to VATMOSS, GDPR will probably have more of a burden on smaller businesses, whereas larger businesses will have the development/consultant resource to get it right, and have those larger law firms to provide that "extra context" to brush things under the carpet if something goes awry.
The ICO seems reasonable, so hopefully they won't crush a small software shop for fucking up on something, but they're going to want to go after some people to send a message at some point. I'd guess you'd want to check that professional indemnity insurance policy, just in case.
It is, of course, all down to context. You need to show that you at least took the guidance seriously and tried to mitigate things. A notice of "collect ALL THE THINGS" won't fly, as you're basically admitting you're not prepared to consider it.
I think you're right on the social media sharing thing, it should be fairly well handled by the OAuth notices from most networks (I'd have guessed - "allow this app to post on my behalf" counts as consent?), but yeah, can't be taken as a given. IANAL, of course.
> This is one of the things that's bothered me with it - in a similar vein to VATMOSS, GDPR will probably have more of a burden on smaller businesses
In a weird way, VATMOSS and GDPR kind of work together on this...most things we collect at work that will be covered by GDPR are collected because of VATMOSS.
VATMOSS requires that we be able to justify what country's VAT we collect on a given online purchase with two pieces of "non-contradictory" evidence. So, right there we have to collect at least two things that provide location data about the customer, and GDPR expands the definition of personal data to include location data. I say "at least" because since it is required to have two non-contradictory pieces of evidence, it's prudent to collect at least three.
I think we currently use: (1) country the person selected from the "Country" drop-down on our site, (2) GeoIP at time of purchase, (3) GeoIP at time of filling out quarterly VATMOSS report, (4) GeoIP on IP addresses that they have used when downloading updates, (5) country of the bank that issued the credit card or debit card used for the purchase.
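One way to implement the "two non-contradictory pieces of evidence" check described above, as an added example rather than the commenter's own code: the evidence source names and the sample values are constructed, and the function flags conflicting evidence for review instead of silently picking a country.

```python
from collections import Counter
from typing import Dict, Optional, Tuple

# VATMOSS: the VAT country must be justified by two non-contradictory pieces of evidence.
MIN_AGREEING = 2


def determine_vat_country(
    evidence: Dict[str, Optional[str]],
) -> Tuple[Optional[str], Dict[str, str], Dict[str, str]]:
    """Return (country, supporting, contradicting).

    evidence maps an evidence source (e.g. "country_dropdown", "geoip_purchase")
    to an ISO 3166-1 alpha-2 code, or None when that piece is unavailable.
    country is the code backed by at least MIN_AGREEING sources, or None when no
    country reaches that threshold or two countries tie (send to manual review).
    supporting holds the items that justify the decision and should be retained;
    contradicting holds the items pointing elsewhere. Under GDPR all of these are
    location data, so the caller should keep only what the justification needs.
    """
    available = {src: code.upper() for src, code in evidence.items() if code}
    if not available:
        return None, {}, {}
    counts = Counter(available.values())
    best, n = counts.most_common(1)[0]
    tied = [c for c, k in counts.items() if k == n]
    # Fewer than two agreeing sources, or a tie, is not a defensible justification.
    if n < MIN_AGREEING or len(tied) > 1:
        return None, {}, available
    supporting = {s: c for s, c in available.items() if c == best}
    contradicting = {s: c for s, c in available.items() if c != best}
    return best, supporting, contradicting


if __name__ == "__main__":
    # Constructed sample: drop-down and card-issuer country agree, purchase-time
    # GeoIP points elsewhere (travel, VPN), report-time GeoIP not yet collected.
    sample = {
        "country_dropdown": "DE",
        "geoip_purchase": "FR",
        "geoip_report": None,
        "card_issuer_country": "de",
    }
    print(determine_vat_country(sample))
```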